www.cisa.gov 4/24/2026, 7:11:10 PM · via preferred

CISA Adds Four New KEV Flaws, Urges Immediate Patching

According to CISA, four new vulnerabilities have been added to the Known Exploited Vulnerabilities (KEV) Catalog based on evidence of active exploitation, in a release dated 24 April 2026. The newly listed CVEs are CVE-2024-7399 (Samsung MagicINFO 9 Server Path Traversal Vulnerability), CVE-2024-57726 (SimpleHelp Missing Authorization Vulnerability), CVE-2024-57728 (SimpleHelp Path Traversal Vulnerability) and CVE-2025-29635 (D-Link DIR-823X Command Injection Vulnerability).

CISA notes that these vulnerability types are frequent attack vectors for malicious cyber actors and pose significant risks to the federal enterprise. The KEV Catalog is described as a living list of known CVEs that carry significant risk, established under Binding Operational Directive 22-01, which requires remediation by Federal Civilian Executive Branch agencies; CISA strongly urges all organisations to prioritise timely remediation as part of their vulnerability management practice. The agency emphasises that while BOD 22-01 applies to FCEB agencies, reducing exposure to KEV Catalog vulnerabilities remains a national priority.


Article by CyberSIXT
